I have been searching high and low for development software that meets the following criteria:
- Connects to web based version control
- Has functional reference for PHP
- Runs on multiple platforms (PC/Mac)
And the good news is, I have finally found a solution… Continue reading We’ve got something here…
My dad and sister once wrote a movie that was loosely based on an old western by Clint Eastwood – and it was named “Cheaters Always Win”. You will never guess who came up with the title…*ahem*.
Anyway, thanks to this page:
you can win too!! These pages are great! I especially like the php and mysql versions. But they all seem equally invaluable (invaluable meaning “more than valuable”). So thanks to Dave Child for sharing.
Is it really as scratch free as they claim?
PHP Security is like manure, if you only do it in one spot – it stinks, but if you spread it around, it will grow wonderful things.
When I used to hear about different PHP packages being compromised (see netcraft.com regarding phpBB, for instance), I would immediately brush it off as a fluke or the work of some nerd with WAY too much time on his/her hands who was instigating trouble. Sometimes that profile fits. Sometimes not. Sometimes the hacker doesn’t do any harm; they are just using the exploit as a jumping-off point to do damage to other sites. Sometimes they have truly malicious intent.
I also thought that the only things being hacked were extremely high profile open source products or Microsoft products. Bear with me, my naivety worsens. Then I thought it might only happen to eCommerce sites.
Someone hacked my personal website (a few years ago, and which is no longer running) just because I had cool movie quotes on it. Seriously, when you look at the server logs, it was simply an attack on a php page that I wrote in my early days of learning PHP and they completely overloaded the server. They exploited one little page to bring down an entire shared hosting environment. And all because of one little security bug I overlooked to make life easier while I was writing the code…in this case:
The moral of the story, if there is one, is don’t think your scripts are safe just because they are only used on one little page on a site that hasn’t peaked at 1000 hits a year. You are vulnerable. And you may luck out, and the bad guys may never find out…but what if they do…
Be secure in all your form processing, variable loading and SQL use, and watch your website grow.
So you want to validate inputs, eh? If you said, “No”, think again. Well, here is a little tip for you. If you are passing in any kind of number that you use as an index in a table, you had better do something like this:
$val = strval(intval($_GET['val']));
“Why?” you ask?
The reason is simple (and I don’t think I am giving away any hacking secrets here). If you are going to use this number to retrieve a value in a query, i.e.
"SELECT something FROM table WHERE ref = " . $_GET['val'], someone could easily – and I mean EASILY – do a bait and switch like this…
If you are expecting
$_GET['val'] = "1", they could put
$_GET['val'] = "1; DELETE FROM table;"
Unclear? The way they can do this is simply this:
http://www.yoursite.com/index.php?val=1;DELETE FROM table
Do you see how easy that was? They just cleared out your table and you didn’t even have a chance. They terminated your query and ran another one right under your nose. And you will not have a record of it except the Apache logs showing the GET string. If they couldn’t figure out the table’s name, it might take a while, and you might catch them, but why take the chance?
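As an added example (not the post’s own code), here is the vulnerable concatenation beside the intval() hardening the post recommends, run over constructed inputs that include the post’s payload; the function names and the "table"/"ref" column are placeholders. It also shows that even where a database driver refuses stacked statements, an input like 1 OR 1=1 exploits the same unvalidated parameter, so the validation is needed regardless.

```php
<?php
// Added example, not code from the post. Names (int_param, build_query,
// the "table"/"ref" column) are placeholders.

// Vulnerable form from the post: the raw GET value is concatenated into SQL.
function build_query_vulnerable(string $raw): string {
    return "SELECT something FROM table WHERE ref = " . $raw;
}

// Hardened form: the value is coerced with intval() as the post recommends,
// and any input that intval() had to alter is rejected instead of silently
// accepted, so the attempt can be logged by the application itself.
function int_param(string $raw, ?string &$rejected = null): ?int {
    $clean = strval(intval($raw));
    if ($clean !== trim($raw)) {   // "1; DELETE FROM table;" -> "1": tampered or malformed
        $rejected = $raw;
        return null;
    }
    return (int) $clean;
}

function build_query(int $ref): string {
    return "SELECT something FROM table WHERE ref = " . $ref;
}

// Constructed sample inputs: a benign value, the payload from the post,
// a tautology injection that needs no stacked statements, and junk.
$inputs = ["1", "1; DELETE FROM table;", "1 OR 1=1", "abc"];

foreach ($inputs as $raw) {
    echo "vulnerable: " . build_query_vulnerable($raw) . "\n";
    $rejected = null;
    $ref = int_param($raw, $rejected);
    if ($ref === null) {
        // Record the attempt in application space; the web server's access
        // log alone is easy to miss, as the post notes.
        echo "hardened:   rejected " . var_export($rejected, true) . "\n\n";
        continue;
    }
    echo "hardened:   " . build_query($ref) . "\n\n";
}
```

Only the first input reaches build_query(); the other three are rejected before any SQL is built, which is the point at which you would write your own log entry.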